I'm doing local azure function development for an MSI-enabled application using Visual Studio 2017 v15.6.2 with the Azure Services Authentication Extension installed. The identity I have to work with in the target subscription has access to multiple tenants and subscriptions within those tenants.

Before I installed the add-in I was able to use the Azure CLI to set the default subscription/tenant using az account set -subscripton TARGET-SUB-NAME. az account show confirmed that I had selected the correct subscription and everything worked well.

Since installing the VS extension I can no longer access the resources in the target subscription because the extension has no way to select the default tenant/subscription combo. The CLI still shows the target subscription, but JWTs that are generated by GetAccessTokenAsync("https://management.azure.com/"); calls show that the tokens are being requested with the identity's default subscription (tid in the token).

Is there a way to set the default subscription for the extension or otherwise get around this blocker?

I managed to get around the shortcomings of the Azure Service Authentication feature (which is no longer an extension, but built into VS.net 2017) by following the instructions on this page.

Specifically, I used the connection string RunAs=Developer; DeveloperTool=AzureCli in the environmental variable AzureServicesAuthConnectionString and was able to return control to the CLI.